Google has been offering support for two-step verification for years, but now there’s another option for proving you are who you say you are. In addition to your password, you can now use a physical USB device plugged into your computer to access your Google account via Chrome. Google calls this Security Key. Using Security Key means your physical presence (or at least the presence of your keychain) is needed to log into Google, making it all but impossible for a remote attacker to gain access to your account, protecting you from most of the malicious hacks you hear about.

The goal of two-step verification in general is to make account access more secure by requiring a password plus something else. The characters that make up your password — even a very complex one — can be typed into any keyboard anywhere in the world. You don’t need to be anywhere nearby or even aware that someone is accessing your account. Google and other companies include tools that can help you remain aware of when and from where your online profile has been accessed (hey, that random login from Prague looks suspicious), but the only way to be sure is to add a second layer of security on top of the password. In this case, that means a USB key that plugs into your computer, but other methods include temporary PIN codes sent via SMS and applications that receive codes via a secure server.

Don’t dust off that USB thumbdrive in your drawer just yet, though. You can’t use any old USB device you have sitting around — Google’s Security Key implementation uses the open Universal 2nd Factor (U2F) protocol, which is maintained by the FIDO Alliance. It uses public key cryptography to create a single USB device that can authenticate with the service. A remote attacker won’t have your U2F USB device, so any attempts to gain access are doomed.
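To make the public-key step concrete, here is an added example (not Google's, Yubico's or the FIDO Alliance's code) of a challenge-response login in which the service holds only a public key. The class names, the `https://accounts.example` identifier and the JSON layout of the signed bytes are assumptions for illustration; real U2F messages use their own binary format.

```javascript
// Added illustration: a simplified model of a U2F-style login, not the real wire format.
const crypto = require('crypto');

// What gets signed: the service's identity, a use counter and the server's fresh challenge.
const signedData = (appId, counter, challenge) => Buffer.from(JSON.stringify([appId, counter, challenge]));

// The "USB key": the private key is created on the device and never leaves it.
class SecurityKey {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(appId, privateKey);
    return publicKey; // only the public half goes to the service
  }
  sign(appId, challenge) {
    const counter = ++this.counter;
    return { counter, signature: crypto.sign('sha256', signedData(appId, counter, challenge), this.keys.get(appId)) };
  }
}

// The service, at the point where the password check has already passed (assumed).
class Service {
  constructor(appId) { this.appId = appId; this.users = new Map(); }
  enroll(user, publicKey) { this.users.set(user, { publicKey, lastCounter: 0, challenge: null }); }
  // A fresh random challenge is issued for every login attempt.
  startLogin(user) { return (this.users.get(user).challenge = crypto.randomBytes(32).toString('hex')); }
  finishLogin(user, { counter, signature }) {
    const u = this.users.get(user);
    const challenge = u.challenge;
    u.challenge = null; // each challenge is good for one attempt only
    if (!challenge || counter <= u.lastCounter) return false;
    const ok = crypto.verify('sha256', signedData(this.appId, counter, challenge), u.publicKey, signature);
    if (ok) u.lastCounter = counter;
    return ok;
  }
}

function demo() {
  const service = new Service('https://accounts.example'); // constructed name
  const key = new SecurityKey();
  service.enroll('alice', key.register(service.appId));
  const other = new SecurityKey(); other.register(service.appId); // a device that was never enrolled
  const stranger = service.finishLogin('alice', other.sign(service.appId, service.startLogin('alice')));
  const first = key.sign(service.appId, service.startLogin('alice'));
  const owner = service.finishLogin('alice', first);
  service.startLogin('alice');
  const replay = service.finishLogin('alice', first); // old response against a new challenge
  return { owner, stranger, replay };
}
```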

This is important because U2F isn’t only for Google. While it’s true that Google is adding support for U2F in its two-step account verification, the support is baked into Chrome. Any company that wants to take advantage of this highly secure access method can do so right now. All you need is a computer running Chrome v38 or higher, which is the current stable channel release.

One notable downside is that you really need Chrome. Other browsers lack support for a U2F security dongle, meaning you’ll have to go back to SMS or app verification to get the one-time code for two-step verification when Chrome isn’t available. Security Key also isn’t supported on mobile devices like Android phones and iOS. Google notes that it hopes more desktop browser makers will at least add support for FIDO U2F so users can rely on the hardware verification method more frequently.

Google is including Security Key support on all accounts free of charge and it’s not even selling the USB devices directly. It’s actually nice to know that Google doesn’t have a financial stake in this move — it’s about making your data more secure. A compatible U2F USB device can be purchased from any vendor that uses the standard, but most of the current options you’ll find come from Yubico and cost $15-50. As they say, that’s a small price to pay for peace of mind.

As far as we’re aware, you can’t yet make your own U2F USB key. The standard is open, however, so an open-source implementation might appear at some point in the future — assuming it doesn’t require a special hardware feature to be present on the USB stick, that is.


It’s just a joke. Use it or not, Google is not a secure way to trust your data.

http://ikario.fr/ ikario

From my point of view, the real use is that it’s an open standard. So in that way we could do the same for other services (e.g., your own mailserver, your own dataserv, fb, ello, whateveryouwant, …)

MisterBlat

“now there’s another option for proving you are who you say you are.”

That should make Dennis Green happy.

Dozerman

…and yet it still won’t defend you against that one asshole who decides to go piss while he’s logged in. A single rather embarrassing email to his boss’s boss usually puts an end to that, though.

Matt Menezes

If you have the ability to fall back to SMS, can that be done while using the USB key? If so, it seems like an attacker with your phone could get around the USB key.

PtolemyWasWrong

So, just a couple of weeks ago we read that USB has always been insecure, and is likely impossible to make secure, and now Google says ‘Trust Us’ – we’re using a USB stick.
Seems like journalistic whiplash to me.

Wally

Oh great, another lure Google will use to invade our privacy. That is the business model after all.

Depends how you have set it up. (Yes, you have a problem when you only own one.)
Usually you have services that manage all your USB keys on a website. When you lose one you can deactivate it through that website or add new ones.

Also with Google, you can turn off two-factor authentication at any time.

nitemarejim

And what makes Google’s USB key any better than YubiKey, which has been around for years?? Their name?? With the media fawning all over them??

John

Google hasn’t launched anything, that’s why this is such a bad article.
Google only added the functionality of using U2F 2nd factor authentication. This news comes mainly from Yubico.com who made this possible.

Gago Ka

Do some research before writing an article.


Use of this site is governed by our Terms of Use and Privacy Policy. Copyright 1996-2016 Ziff Davis, LLC. PCMag Digital Group. All Rights Reserved. ExtremeTech is a registered trademark of Ziff Davis, LLC. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis, LLC. is prohibited.